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1. Introductions and apologies 


1.1. Elizabeth Denham was welcomed to this, her first, Audit 
Committee meeting here at the ICO. Paul Arnold was also 
welcomed as senior manager responsible for finance and 
other related matters for an interim period. 


1.2. There were apologies from James Edmands at the NAO 
who was unable to attend. 


2. Declaration of interests 


2.1. lan Watmore advised the Committee that he was in the 
process of being appointed Head of the Civil Service 
Commission. His new role would start on 1 October and in 
consequence lan had advised the Commissioner that he 
would be resigning his position at the ICO as of 30 
September. This would be his last Audit Committee meeting. 


2.2. On behalf of the Committee Ailsa Beaton stated that lan 
would be sorely missed by the Committee and the ICO. 
Elizabeth Denham also thanked lan for his advice and 
support. The Committee wished lan all the best for the 
future. 


2.3. Elizabeth Denham confirmed that Ailsa Beaton would be 
the future chair of the Audit Committee. It was also 
confirmed that the Committee was quorate with two 
members. 


3. Action points from the Audit Committee meeting of the 6 J une 


3.1; The action points from the last meeting had been 
cleared. 
3.2. The Committee expressed its thanks to both the NAO 


and BDO for their cooperation in expediting the certification 
of the ICO Annual Report and Accounts in June; allowing the 
departing Commissioner to present the Annual Report and 
Account on the last day of his tenure. Peter Bloomfield was 
also thanked for managing the process. 


4. Commissioner’s update 


4.1. Elizabeth Denham provided an update on issues 
affecting the ICO from her perspective. She explained that 
she had been in post for eight weeks, getting to know staff, 
how the ICO ran, meeting key stakeholders and 
understanding better the issues the ICO faced; all at a time 


of uncertainty following the EU referendum result. Five out of 
the six areas of legislation the ICO regulates are EU based. 
Elizabeth had also met with the internal auditors and 
reviewed the |CO’s financial position. 


4.2. Elizabeth outlined her plans to review the ICO’s 
information rights strategy (the document had not been 
reviewed for some time), communications strategy, and 
international strategy. She had also identified a need for a 
greater ICO presence in London in order to spend more time 
with politicians and representative groups. 


4.3. Elizabeth had already met both officials from the 
Department for Media Culture and Sport (DCMS) and the 
Department for Exiting the EU. A meeting with the Minister 
with responsibility for data protection, Matt Hancock MP, was 
also scheduled. 


4.4. Initial thoughts on the future direction of the ICO 
related very much to technological change and the 
implications for information rights, a theme which was to be 
explored at a Senior Management Team planning day 
tomorrow. The ICO had to invest and have more capacity in 
the office to respond to the application of technology and 
cyber-security; building greater connections with universities 
and technology companies. 


4.5. This work would be taken forward with the support of 
the People Strategy and the ICO was in the process of 
recruiting a new Deputy Commissioner and two new Non- 
executive Directors. The ICO would be proactive in its 
handling of the recruitment exercises. 


4.6. It was also confirmed that the ICO was bidding to host 
two international conferences. 


4.7. The Committee supported increased presence in London 
and noted the challenge and opportunity for the ICO arising 
from the UK’s EU exit. 


. Change Programme update 


5.1. Simon Entwisle updated the Committee on the Change 
Programme which was steering the ICO through considerable 
change, primarily in preparing for the introduction across the 
EU in May 2018 of the General Data Protection Regulation. 
The ICO was also inputting into DCMS work on the future 
shape of data protection legislation. 


5.2. It was felt that engagement with staff on the project 
was good. A Change Programme Project Board currently met 
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fortnightly, but as the process embedded this would change 
to monthly. Initiatives around intelligence, engagement, the 
People Strategy were all being taken forward. 


Finance 


5.3: Paul Arnold introduced the finance report. The main 
issue was that July fee income (which funded data protection 
expenditure) had been below profile. The opportunity had 
been taken to validate ICO processes and it was felt that the 
dip was likely to be a one off. 


5.4. The ICO had also undertaken a mid-year review of its 
financial position and it was thought that forecasted fee 
income would cover all of the ICO’s new initiatives. Budgets 
across the business were also on track. 


5.5; It was confirmed that the ICO was expecting a surplus 
at the end of the financial year. 
5.6. Elizabeth Denham highlighted the possibility of setting 


up a grants and research budget to help support and 
stimulate discussion and ideas on information rights policy. A 
business case would be needed for DCMS and Treasury. The 
Committee’s view was that it would be useful to take this 
forward as quickly as possible. 


5.7. The Committee was also updated on the Finance 
Improvement Project. A temporary systems accountant had 
begun work today to take forward the work to improve the 
ICO’s financial systems. The Team had also met the system 
developers and discussed upgrades to the purchase 
management system and adding a banking system. 


5.8. The Committee asked about the collection of civil 
monetary penalties and how decisions to write-off penalties 
were made. Elizabeth Denham highlighted the ICO’s wish to 
pursue directors personally and the ICO is also working with 
the Insolvency Agency on collecting penalties from companies 
that become insolvent. 


Action point 1: Simon Entwisle to clarify the legal 
position on writing off penalties for the next Audit 
Committee. 


6. Risk Register 


6.1. The risk register was introduced by Peter Bloomfield. 
There was a concern that the risk status after mitigation was 
too optimistic. 


Action point 2: Peter Bloomfield to review the risk 
status and to liaise with risk owners as to whether it 
needed changing. 


7. Outstanding audit recommendations 


7.1. The Committee considered the list of outstanding audit 
recommendations; both internal and external. 


7.2. It was confirmed that the forecast due date for 
recommendations covered by the Finance Improvement 
Project was to be changed to the 31 December in line with 
deadlines agreed at the J une Audit Committee. Clearance 
dates would also be added to the external audit 
recommendations. 


7.3. The Committee was updated on progress in developing 
and signing of the Management Agreement with the DCMS. A 
near final draft was currently with DCMS officials and it was 
expected to be formally agreed shortly. 


Action point 3: Peter Bloomfield to update the register 
as per the Committee discussion. 


8. Internal audit 


8.1. Paul Eckersley from Grant Thornton updated the 
Committee on the work on the fines recovery review; the 
fieldwork for which had just been completed. There were a 
few recommendations around improvement of process and 
one medium recommendation around consistency. 


8.2. There were a couple of reviews at the planning stage; of 
ICO cryptographic controls (starting 22" September) and the 
IT asset management review. 


8.3. There were minor changes to the internal budget 
including additional days for the cryptographic controls 
review and phased asset management review. 


8.4. In terms of the GDPR review the aim was to look at the 
processes the ICO had in place to manage the 
implementation. This was scheduled for the end of the 
calendar year; however, given the uncertainty following the 
EU referendum result, the views of the Committee were 
welcome. 


8.5. It was suggested that the name of the review be 
changed to the Data Protection Law Reform review. It was 
also thought that the review should be pushed back to Q4. 


Action point 4: Grant Thornton to update the audit plan 
in respect of the GDPR review. 


8.6. It was confirmed that it was possible to pull audits from 
the second year of the plan if this year’s programme was not 
completed. The level of audit had to be adequate to allow an 
audit opinion to be given. 


8.7. Grant Thornton confirmed that they had the resources 
in place to meet the plan as shown. 


8.8. Management side emphasised the need to spread audits 
throughout the year with the expected audits coming to the 
relevant Committee meeting. 


Action point 5: Peter Bloomfield and Grant Thornton to 
confirm the audits which would come to which Audit 
Committee. 


9. Any other urgent business 


9.1. Roger Barlow highlighted the need to change the date of 
the December meeting. Neil Bostock was to investigate 
options. 


10. Internal audit re-procurement 
Redacted 


